The Campaign for Mobile-Phone Voting Is Getting a Midterm Test

On its face, the idea of allowing people to cast their ballots by phone makes sense, but developing a workable online-voting system is more complicated than it might seem.Illustration by Michael Haddad

Bradley Tusk has a plan to fix American democracy. A former high-level staffer for Chuck Schumer and Michael Bloomberg, among others, Tusk has recently been using his political wits to help tech companies sidestep red tape and clear regulatory hurdles. As he recounts in his new book, “The Fixer: My Adventures Saving Startups from Death by Politics,” Tusk has—for better or for worse—convinced authorities across the country to let Uber operate in their cities, figured out how to get the San Jose City Council to allow on-demand home delivery for marijuana, and toppled regulations banning the sale of online homeowners and renters’ insurance. When Uber, the first tech client of his fledgling consulting firm, didn’t have enough cash to pay him, Tusk took half his compensation in equity. As a consequence, he said, “I just got more money than I ever expected to have.”

Now Tusk, who is forty-five, is parlaying his Silicon Valley experience, and the fortune he made in the process, searching for a way to make it easier for people to vote. In the U.S., voter turnout has hovered around fifty-five per cent for Presidential elections since 1972, and is much lower for midterms and primaries. In New York’s gubernatorial primary this year, for example, twenty-four per cent of registered Democrats turned out, which was significantly higher than the ten per cent who bothered to vote in the primary four years ago. If the electorate is made up largely of partisan voters, Tusks believes, we end up electing tendentious, uncompromising politicians who do not represent the more moderate will of the people. “We’re completely polarized, and nothing gets done,” he said. “I don’t see how democracy survives absent radically higher participation.” With his wife, Harper Montgomery, Tusk created Tusk Montgomery Philanthropies, a foundation with two missions, one of which—funding school breakfast programs—is the of kind typically undertaken by the wealthy. The second, though, is either visionary or preposterous, depending on your perspective: the organization aims to crack the nut of voting by mobile phone, something computer scientists have been trying to do, unsuccessfully and in various ways, for the past two decades.

On its face, voting by phone makes sense. Nearly ninety-five per cent of American adults own mobile phones, and rely on them for all sorts of secure transactions. Using them to cast a ballot would seem to be a natural extension, and one that removes many of the impediments that discourage people from voting, such as inconveniently located polling places, limited hours, and long lines. A survey of 3,649 voting-age Americans in 2016 found that about forty per cent would choose the option of Internet voting if it were offered. (Voting by phone app is a variant of Internet voting, since ballots are transmitted over the Internet.)

But implementing a working system is not as simple as it may appear. In 2010, when local election officials in Washington, D.C., were considering an Internet-voting system, they invited a University of Michigan computer-science professor, J. Alex Halderman, and his students to test its security. The group found its first vulnerability “after a few hours of examination” and eventually took control of the system; officials only noticed the breach thirty-six hours into the hack. “Securing Internet voting in practice will require significant fundamental advances in computer security,” Halderman’s team concluded in an academic paper detailing their exploits. “We urge Internet voting proponents to reconsider deployment until and unless major breakthroughs are achieved.”

The D.C. experiment—which was abandoned—was intended to make voting easier for members of the military stationed abroad. Typically, overseas service members vote by mail, using absentee ballots, a process that comes with its own frustrations and inefficiencies: ballots are lost in transit, or arrive late and don’t get counted. Few officials have been more vocal about the problem than Mac Warner, West Virginia’s secretary of state. As he wrote in the Charleston Gazette-Mail last spring, “Having had trouble voting from deployed locations around the world during my 28 years of military and State Department contracting service, upon taking office I vowed to find ways to help West Virginia soldiers vote.”

Around that time, Tusk was hunting for a way to put a new mobile-voting platform—an app called Voatz—to the test. Shelley Capito, the first employee of Tusk’s consulting firm and the daughter of Senator Shelley Moore Capito, of West Virginia, connected Tusk with Warner. In May, Tusk Montgomery spent about a hundred and fifty thousand dollars on a small pilot project in West Virginia, which gave overseas citizens and members of the military stationed abroad the option of using Voatz to cast ballots on their phones. The pilot was open only to residents of two counties, and a total of thirteen voters participated, but it was deemed successful enough that Voatz will be available to overseas voters from twenty-four West Virginia counties in the November midterms. “My premise is that I want more people to vote because I want to change the inputs politicians get so they can get more things done,” Tusk said. “Mac’s position was, Wasn’t it offensive that people who are risking their lives to protect our right to vote, often their votes aren’t really counted?”

The Voatz app was developed by a team led by Nimit Sawhney, who quit his job as a security researcher when the app won first prize in a hackathon at the South by Southwest festival, in 2014. Voatz sells itself as not only a way to vote by phone but a way to have the votes recorded on a blockchain. (Its biggest investor is the venture arm of Overstock.com, one of the first major online retailers to accept payment in bitcoin, the cryptocurrency that brought us the blockchain; Bradley Tusk is not an investor.) A blockchain is a decentralized ledger where encrypted transactions are posted, in order, on a large number of computers, which theoretically makes the record of those transactions immutable. In the case of Bitcoin, anyone can participate in what is known as the mining process, and as a consequence millions of computers across the globe host the blockchain. In the case of Voatz, however, ballots are only transmitted to between four and sixteen “permissioned” computers, and, if those computers agree algorithmically that a ballot is legitimate, it gets recorded and counted. Voatz also uses end-to-end encryption alongside biometric verification—a combination of photo I.D.s, video selfies, and the fingerprint scanner or facial-recognition software built into certain phones—which, according to Sawhney, makes it “significantly safer and more convenient than some of the existing methods used by overseas citizens and military voters.”

The retired Stanford computer-science professor David Dill has been writing about Internet voting since the turn of the century. He is the founder of the election-security organization Verified Voting, which is adamantly opposed to Internet, mobile-phone, and blockchain voting, advocating instead for systems that rely on easily auditable paper ballots. (Voatz is adding a paper-ballot option, but Dill is unconvinced that it is actually verifiable.) “I think it’s a horrible idea,” he said of the voting app. “My position is not that Internet voting is impossible in the sense that perpetual motion is impossible but that there’s a broad consensus among the best computer scientists that it’s not doable with current technology. If somebody comes out and says, ‘Yeah, I’ve got a secure Internet-voting system,’ they’ve got a high burden of proof.”

Advertisement

Both Verified Voting and, more recently, the National Election Defense Coalition have issued reports challenging the security of mobile voting. Researchers poking around the margins of earlier iterations of the Voatz system (which is proprietary and not open to public scrutiny) also found a number of problems with it. “The most basic issue is what happens to the votes before they go on the blockchain,” Dill said. “If the voter is entering a ballot on their smart phone in an app that’s written by Voatz, why should we trust this? Some random company gives us an app, we enter our votes into it, and that app claims to be delivering an encrypted copy of our ballot to be counted. We’re trusting not only the people who wrote the app but the people who implemented the operating system on the smartphone—first, to be honest, and, second, not to have any security holes that would allow a third party to have some malicious app that corrupts the votes.”

To address these concerns, Tusk’s philanthropy hired outside examiners to assess the first West Virginia pilot. The team was led by Andre McGregor, a former F.B.I. cyber special agent who is now the global head of security for TLDR, a company that specializes in blockchain technology. “We were very skeptical on the idea of a mobile voting platform,” McGregor told me in an e-mail. But after a month-long review, he said, “we walked away comfortable in the fact that Voatz demonstrated having well-designed security architecture.” His e-mail laid out, in great detail, all the parts of the Voatz system his team had assessed and approved: “the company's information security policies and procedures, access control, network security, cloud security, application security, operational controls and change management, physical and environmental security, data security, and processes around incident response and threat mitigation.” As Sheila Nix, the president of Tusk Montgomery Philanthropies, pointed out to me, “The system we used in the West Virginia pilot has a lot more security features than what’s currently being done. Right now, people overseas are just e-mailing their ballots back, which has no security at all.”

While Tusk and Nix were working out the details of the West Virginia pilot, they were also talking with election officials in other states, looking for additional mobile-voting platforms and seeking new opportunities to test them out. Vermont, Washington, and Oregon have expressed interest, but the state where mobile voting is most likely to be tried next is Colorado, which has led the nation in voting-system reforms, including automatic ballot delivery, same-day voter registration, a fifteen-day early-voting period, twenty-four-hour ballot-drop boxes, as well as in-person polling places. Amber McReynolds, Denver’s former director of elections, who now runs the National Vote at Home Institute and Coalition, attributes the state’s high voter turnout—in 2016, it was fourth highest in the nation—to an election process that “puts voters first.” “We’re empowering voters to decide when they want to vote and when they want to return their ballot, and not forcing them to go to a specific place at a specific time,” she said. Colorado is also considered one of the most secure places in the country to vote. “We count every ballot, we scan every ballot,” McReynolds said. “We don’t count at polling places, we do it in a central facility with cameras, so the public can see, and we do risk-limiting audits.”

Even so, like West Virginia, Colorado’s overseas military ballots come in over e-mail, and McReynolds and others were also concerned about the barriers to voting that disabled people face. Last January, when she was still in charge of Denver’s elections, McReynolds and a colleague began working with the National Cybersecurity Center of Excellence, a federal research agency based in Colorado Springs, to explore ways to improve mobile voting. The N.C.C.O.E. agreed to research “the best ideas available in both public and private industries around cybersecurity and other emerging technologies.” One that rose to the top was mobile-phone voting on a blockchain. Tusk and Nix signed on as advisers, along with the Colorado secretary of state, the Estonian director of elections (Estonia has used Internet voting since 2005), and the former F.B.I. agent Andre McGregor, among many others.

Unlike West Virginia, which turned to an off-the-shelf app created by a private company, Colorado is working with software developers to build its own open-source mobile-voting platform. “There have been a lot of discussions about how best to do it, who would build it, what a test case would look like,” McReynolds said. As in West Virginia, Tusk would foot the bill, which he estimates to be around half a million dollars. He is hopeful that a successful mobile-voting system in Colorado will be shared with other states once it has been proved to work. “We’re totally vender agnostic,” Tusk said. “We’re even technology agnostic. It’s not about voting on a blockchain. If something emerges tomorrow that is better than blockchain voting, that’s totally fine with me. I don’t care. I just want to see mobile voting happen.”

Tusk has also invited a team of hackers, led by Jake Braun, an organizer of the Def Con Voting Village, where hackers take aim at electronic voting machines, to consult on Colorado’s new platform. “I didn’t call him, he called me,” Braun said. “If the voting-machine venders had the same way of looking at this as Bradley does, we’d all be in a hell of a lot better place.” Even during the development stage, Tusk asked Braun to “bring in the best of the best” to search out the system’s potential vulnerabilities, a process that’s still ongoing. “We’re working with these guys to help us get it right,” Tusk said, “But my view is less that the greatest threat to our democracy is the risk of hacking. The greatest threat to our democracy is that nobody votes. It just seems to me if we say it’s too risky to try this new thing, we’re throwing in the towel.”